Charming Kitten hackers use new ‘NokNok’ malware for macOS

Security researchers observed a new campaign they attribute to the Charming Kitten APT group where hackers used new NokNok malware that targets macOS systems.

The campaign started in May and relies on a different infection chain than previously observed, with LNK files deploying the payloads instead of the typical malicious Word documents seen in past attacks from the group.

Charming Kitten is also known as APT35 or Phosphorus and has launched at least 30 operations in 14 countries since 2015, according to according to Mandiant.

Google has linked the threat actor to the Iranian state, more specifically, the Islamic Revolutionary Guard Corps (IRGC).

In September 2022, the U.S. government managed to identify and charge members of the threat group.

Proofpoint reports that the threat actor has now abandoned the macro-based infection methods involving laced Word documents and instead deploys LNK files to load their payloads.

Regarding the phishing lures and social engineering methods seen in the campaign, the hackers posed as nuclear experts from the U.S. and approached targets with an offer to review drafts on foreign policy topics.

In many cases, the attackers insert other personas in the conversation to add a sense of legitimacy and establish a rapport with the target.

Charming Kitten’s impersonation or fake persona assumption in phishing attacks has been documented, and so has its use of ‘sock puppets’ to create realistic conversation threads.

Attacks on Windows

After gaining the target’s trust, Charming Kitten sends a malicious link that contains a Google Script macro, redirecting the victim to a Dropbox URL.

This external source hosts a password-protected RAR archive with a malware dropper that leverages PowerShell code and an LNK file to stage the malware from a cloud hosting provider.

The final payload is GorjolEcho, a simple backdoor that accepts and executes commands from its remote operators.

To avoid raising suspicion, GorjolEcho will open a PDF with a topic relevant to the discussion the attackers had with the target previously.

Attacks on macOS

If the victim uses macOS, which the hackers typically realize after they fail to infect them with the Windows payload, they send a new link to “library-store[.]camdvr[.]org” that hosts a ZIP file masquerading as a RUSI (Royal United Services Institute) VPN app.

When executing the Apple script file in the archive, a curl command fetches the NokNok payload and establishes a backdoor onto the victim’s system.

NokNok generates a system identifier and then uses four bash script modules to set persistence, establish communication with the command and control (C2) server, and then starts exfiltrating data to it.

The NokNok malware gathers system information that includes the version of  the OS, running processes, and installed applications.

NokNok encrypts all collected data, encodes it in the base64 format, and exfiltrates it.

Proofpoint also mentions that NokNok might feature more specific espionage-related functionality through other unseen modules.

The suspicion is based on code similarities to GhostEcho, previously analyzed by Check Point.

That backdoor featured modules that allowed taking screenshots, command execution, and cleaning the infection trail. It is likely that NokNok has these functions too.

Overall, this campaign shows that Charming Kitten has a high degree of adaptability, is capable of targeting macOS systems when necessary, and highlights the growing threat of sophisticated malware campaigns to macOS users.